Abstract

Effective enforcement of laws and policies requires expending resources to prevent and detect offenders, as well as appropriate punishment schemes to deter violators. In particular, enforcement of privacy laws and policies in modern organizations that hold large volumes of personal information (e.g., hospitals, banks, and Web services providers) relies heavily on internal audit mechanisms. We study economic considerations in the design of these mechanisms, focusing in particular on effective resource allocation and appropriate punishment schemes. We present an audit game model that is a natural generalization of a standard security game model for resource allocation with an additional punishment parameter. Computing the Stackelberg equilibrium for this game is challenging because it involves solving an optimization problem with non-convex quadratic constraints. We present an additive FPTAS that efficiently computes a solution that is arbitrarily close to the optimal solution.



1 Introduction 

In a seminal paper, Gary Becker [1968] presented a compelling economic treatment of crime and punishment. He demonstrated that effective law enforcement involves optimal resource allocation to prevent and detect violations, coupled with appropriate punishments for offenders. He described how to optimize resource allocation by balancing the societal cost of crime and the cost incurred by prevention, detection and punishment schemes. While Becker focused on crime and punishment in society, similar economic considerations guide enforcement of a wide range of policies. In this paper, we study effective enforcement mechanisms for this broader set of policies. Our study differs from Becker's in two significant ways: our model accounts for strategic interaction between the enforcer (or defender) and the adversary; and we design efficient algorithms for computing the optimal resource allocation for prevention or detection measures as well as punishments. At the same time, our model is significantly less nuanced than Becker's, thus enabling the algorithmic development and raising interesting questions for further work.

A motivating application for our work is auditing, which 
typically involves detection and punishment of policy viola- 
tors. In particular, enforcement of privacy laws and policies in 
modern organizations that hold large volumes of personal in- 
formation (e.g., hospitals, banks, and Web services providers 
like Google and Facebook) relies heavily on internal audit 
mechanisms. Audits are also common in the financial sector 
(e.g., to identify fraudulent transactions), in internal revenue 
services (e.g., to detect tax evasion), and in traditional law 
enforcement (e.g., to catch speed limit violators). 

The audit process is an interaction between two agents: a defender (auditor) and an adversary (auditee). As an example, consider a hospital (defender) auditing its employee (adversary) to detect privacy violations committed by the employee when accessing personal health records of patients. While privacy violations are costly for the hospital as they result in reputation loss and require expensive measures (such as privacy breach notifications), audit inspections also cost money (e.g., the cost of the human auditor involved in the investigation). Moreover, the number and type of privacy violations depend on the actions of the rational auditee: employees commit violations that benefit them.

1.1 Our Model 

We model the audit process as a game between a defender (e.g., a hospital) and an adversary (e.g., an employee). The defender audits a given set of targets (e.g., health record accesses) and the adversary chooses a target to attack. The defender's action space in the audit game includes two components. First, the allocation of its inspection resources to targets; this component also exists in a standard model of security games [Tambe, 2011]. Second, we introduce a continuous punishment rate parameter that the defender employs to deter the adversary from committing violations. However, punishments are not free and the defender incurs a cost for choosing a high punishment level. For instance, a negative work environment in a hospital with high fines for violations can lead to a loss of productivity (see [Becker, 1968] for a similar account of the cost of punishment). The adversary's utility includes the benefit from committing violations and the loss from being punished if caught by the defender. Our model is parametric in the utility functions. Thus, depending on the application, we can instantiate the model to either allocate resources for detecting violations or preventing them. This generality implies that our model can be used to study all the applications previously described in the security games literature [Tambe, 2011].

To analyze the audit game, we use the Stackelberg equilibrium solution concept [von Stackelberg, 1934] in which the defender commits to a strategy, and the adversary plays an optimal response to that strategy. This concept captures situations in which the adversary learns the defender's audit strategy through surveillance or the defender publishes its audit algorithm. In addition to yielding a better payoff for the defender than any Nash equilibrium, the Stackelberg equilibrium makes the choice for the adversary simple, which leads to a more predictable outcome of the game. Furthermore, this equilibrium concept respects the computer security principle of avoiding "security through obscurity": audit mechanisms, like cryptographic algorithms, should provide security despite being publicly known.

1.2 Our Results 

Our approach to computing the Stackelberg equilibrium is based on the multiple LPs technique of Conitzer and Sandholm [2006]. However, due to the effect of the punishment rate on the adversary's utility, the optimization problem in audit games has quadratic and non-convex constraints. The non-convexity does not allow us to use any convex optimization methods, and in general polynomial time solutions for a broad class of non-convex optimization problems are not known [Neumaier, 2004].

However, we demonstrate that we can efficiently obtain an additive approximation to our problem. Specifically, we present an additive fully polynomial time approximation scheme (FPTAS) to solve the audit game optimization problem. Our algorithm provides a $K$-bit precise output in time polynomial in $K$. Also, if the solution is rational, our algorithm provides an exact solution in polynomial time. In general, the exact solution may be irrational and may not be representable in a finite amount of time.



1.3 Related Work 

Our audit game model is closely related to security games [Tambe, 2011]. There are many papers (see, e.g., [Korzhyk et al., 2010; Pita et al., 2011; Pita et al., 2008]) on security games, and as our model adds the additional continuous punishment parameter, all the variations presented in these papers can be studied in the context of audit games (see Section 4). However, the audit game solution is technically more challenging as it involves non-convex constraints.

An extensive body of work on auditing focuses on analyzing logs for detecting and explaining violations using techniques based on logic [Vaughan et al., 2008; Garg et al., 2011] and machine learning [Zheng et al., 2006; Bodik et al., 2010]. In contrast, very few papers study economic considerations in auditing strategic adversaries. Our work is inspired in part by the model proposed in one such paper [Blocki et al., 2012], which also takes the point of view of commitment and Stackelberg equilibria to study auditing. However, the emphasis in that work is on developing a detailed model and using it to predict observed audit practices in industry and the effect of public policy interventions on auditing practices. They do not present efficient algorithms for computing the optimal audit strategy. In contrast, we work with a more general and simpler model and present an efficient algorithm for computing an approximately optimal audit strategy. Furthermore, since our model is related to the security game model, it opens up the possibility to leverage existing algorithms for that model and apply the results to the interesting applications explored with security games.

Zhao and Johnson [2008] model a specific audit strategy, "break the glass", where agents are permitted to violate an access control policy at their discretion (e.g., in an emergency situation in a hospital), but these actions are audited. They manually analyze specific utility functions and obtain closed-form solutions for the audit strategy that results in a Stackelberg equilibrium. In contrast, our results apply to any utility function and we present an efficient algorithm for computing the audit strategy.

2 The Audit Game Model 

The audit game features two players: the defender ($D$), and the adversary ($A$). The defender wants to audit $n$ targets $t_1, \ldots, t_n$, but has limited resources which allow for auditing only one of the $n$ targets. Thus, a pure action of the defender is to choose which target to audit. A randomized strategy is a vector of probabilities $p_1, \ldots, p_n$ of each target being audited. The adversary attacks one target such that given the defender's strategy the adversary's choice of violation is the best response.

Let the utility of the defender be $U_D^a(t_i)$ when audited target $t_i$ was found to be attacked, and $U_D^u(t_i)$ when unaudited target $t_i$ was found to be attacked. The attacks (violations) on unaudited targets are discovered by an external source (e.g., government, investigative journalists, ...). Similarly, define the utility of the attacker as $U_A^a(t_i)$ when the attacked target $t_i$ is audited, and $U_A^u(t_i)$ when attacked target $t_i$ is not audited, excluding any punishment imposed by the defender. Attacks discovered externally are costly for the defender, thus, $U_D^a(t_i) > U_D^u(t_i)$. Similarly, attacks not discovered by internal audits are more beneficial to the attacker, and $U_A^u(t_i) > U_A^a(t_i)$.

The model presented so far is identical to security games with singleton and homogeneous schedules, and a single resource [Korzhyk et al., 2010]. The additional component in audit games is punishment. The defender chooses a punishment "rate" $x \in [0, 1]$ such that if auditing detects an attack, the attacker is fined an amount $x$. However, punishment is not free: the defender incurs a cost for punishing, e.g., for creating a fearful environment. For ease of exposition, we model this cost as a linear function $ax$, where $a > 0$; however, our results directly extend to any cost function polynomial in $x$. Assuming $x \in [0, 1]$ is also without loss of generality as utilities can be scaled to be comparable to $x$. We do assume the punishment rate is fixed and deterministic; this is only natural as it must correspond to a consistent policy.

We can now define the full utility functions. Given probabilities $p_1, \ldots, p_n$ of each target being audited, the utility of the defender when target $t_*$ is attacked is

$$p_* U_D^a(t_*) + (1 - p_*) U_D^u(t_*) - ax.$$

The defender pays a fixed cost $ax$ regardless of the outcome. In the same scenario, the utility of the attacker when target $t_*$ is attacked is

The attacker suffers the punishment x only when attacking an 
audited target. 

Equilibrium. The Stackelberg equilibrium solution involves a commitment by the defender to a strategy (with a possibly randomized allocation of the resource), followed by the best response of the adversary. The mathematical problem involves solving multiple optimization problems, one each for the case when attacking $t_*$ is in fact the best response of the adversary. Thus, assuming $t_*$ is the best response of the adversary, the optimization problem $P_*$ in audit games is

$$\begin{aligned}
\max_{p_i, x} \quad & p_* U_D^a(t_*) + (1 - p_*) U_D^u(t_*) - ax, \\
\text{subject to} \quad & \forall i \neq *.\ p_i(U_A^a(t_i) - x) + (1 - p_i) U_A^u(t_i) \le p_*(U_A^a(t_*) - x) + (1 - p_*) U_A^u(t_*), \\
& \forall i.\ 0 \le p_i \le 1, \\
& 0 \le x \le 1.
\end{aligned}$$

The first constraint verifies that attacking $t_*$ is indeed a best response. The auditor then solves the $n$ problems $P_1, \ldots, P_n$ (which correspond to the cases where the best response is $t_1, \ldots, t_n$, respectively), and chooses the best solution among all these solutions to obtain the final strategy to be used for auditing. This is a generalization of the multiple LPs approach of Conitzer and Sandholm [2006].

Inputs. The inputs to the above problem are specified in $K$ bit precision. Thus, the total length of all inputs is $O(nK)$. Also, the model can be made more flexible by including a dummy target for which all associated costs are zero (including punishment); such a target models the possibility that the adversary does not attack any target (no violation). Our result stays the same with such a dummy target, but an additional edge case needs to be handled; we discuss this case in a remark at the end of Section 3.2.

3 Computing an Audit Strategy 

Because the indices of the set of targets can be arbitrarily permuted, without loss of generality we focus on one optimization problem $P_n$ ($* = n$) from the multiple optimization problems presented in Section 2. The problem has quadratic and non-convex constraints. The non-convexity can be readily checked by writing the constraints in matrix form, with a symmetric matrix for the quadratic terms; this quadratic-term matrix is indefinite.

However, for a fixed $x$, the induced problem is a linear programming problem. It is therefore tempting to attempt a binary search over values of $x$. This naive approach does not work, because the solution may not be single-peaked in the values of $x$, and hence choosing the right starting point for the binary search is a difficult problem. Another naive approach is to discretize the interval $[0, 1]$ into steps of $\epsilon'$, solve the resultant LP for the $1/\epsilon'$ many discrete values of $x$, and then choose the best solution. As an LP can be solved in polynomial time, the running time of this approach is polynomial in $1/\epsilon'$, but the approximation factor is at least $a\epsilon'$ (due to the $ax$ in the objective). Since $a$ can be as large as $2^K$, getting an $\epsilon$-approximation requires $\epsilon'$ to be $2^{-K}\epsilon$, which makes the running time exponential in $K$. Thus, this scheme cannot yield an FPTAS.
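The discretization scheme described above, written out as an added example (not code from the paper): it solves the problems $P_1, \ldots, P_n$ on a grid of punishment rates and keeps the best solution. Assumptions made here: the fixed-$x$ LP is solved by bisection on $p_*$ instead of a general LP solver, which relies on the single-resource condition $\sum_i p_i = 1$; the `Target` class, the function names and the sample utilities are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    ud_a: float  # U_D^a: defender utility, attacked target was audited
    ud_u: float  # U_D^u: defender utility, attack discovered externally
    ua_a: float  # U_A^a: attacker utility when audited (before the fine x)
    ua_u: float  # U_A^u: attacker utility when not audited

    def __post_init__(self):
        # Model assumptions: U_D^a > U_D^u and U_A^u > U_A^a for every target.
        if not (self.ud_a > self.ud_u and self.ua_u > self.ua_a):
            raise ValueError("need U_D^a > U_D^u and U_A^u > U_A^a")


def attacker_utility(t, p, x):
    return p * (t.ua_a - x) + (1 - p) * t.ua_u


def defender_utility(t, p, x, a):
    return p * t.ud_a + (1 - p) * t.ud_u - a * x


def solve_fixed_x(targets, star, x, iters=60):
    """Audit probabilities maximising p_star for a fixed punishment rate x,
    given that targets[star] must be a best response; None if infeasible."""
    ts = targets[star]
    delta_star = ts.ua_u - ts.ua_a

    def required(p_star):
        # Smallest p_i that keeps target i no more attractive than star:
        # p_i (x + Delta_i) >= p_star (x + Delta_star) + delta_{i,star}
        out = []
        for i, t in enumerate(targets):
            if i == star:
                out.append(p_star)
                continue
            lhs = p_star * (x + delta_star) + (t.ua_u - ts.ua_u)
            out.append(max(0.0, lhs / (x + t.ua_u - t.ua_a)))
        return out

    if sum(required(0.0)) > 1.0:
        return None                     # star cannot be made a best response
    if sum(required(1.0)) <= 1.0:
        return required(1.0)            # auditing only star is already enough
    lo, hi = 0.0, 1.0                   # total mass is increasing in p_star
    for _ in range(iters):
        mid = (lo + hi) / 2
        if sum(required(mid)) <= 1.0:
            lo = mid
        else:
            hi = mid
    p = required(lo)
    spare = next(i for i in range(len(targets)) if i != star)
    p[spare] += 1.0 - sum(p)            # hand rounding slack to another target
    return p


def grid(steps):
    return [k / steps for k in range(steps + 1)]


def solve_audit_game(targets, a, xs):
    """Best (utility, x, attacked index, probabilities) over all P_* and all x in xs.
    Ties in the attacker's best response are broken in the defender's favour."""
    best = None
    for x in xs:
        for star, t in enumerate(targets):
            p = solve_fixed_x(targets, star, x)
            if p is None:
                continue
            u = defender_utility(t, p[star], x, a)
            if best is None or u > best[0]:
                best = (u, x, star, p)
    return best


# Constructed sample: three record types, utilities scaled to be comparable to x.
SAMPLE = [
    Target(ud_a=-0.20, ud_u=-1.0, ua_a=0.3, ua_u=0.9),
    Target(ud_a=-0.10, ud_u=-0.6, ua_a=0.2, ua_u=0.6),
    Target(ud_a=-0.05, ud_u=-0.3, ua_a=0.1, ua_u=0.4),
]

if __name__ == "__main__":
    for label, xs in (("x = 0 only", [0.0]), ("101 grid points", grid(100))):
        u, x, star, p = solve_audit_game(SAMPLE, a=0.05, xs=xs)
        print(f"{label}: utility={u:.4f} x={x:.2f} attacked=t{star + 1} "
              f"p={[round(q, 3) for q in p]}")
```

With $x$ restricted to 0 the game is the plain security game and the defender can do no better than steering the attack to the first target; allowing a punishment rate makes the least damaging target the best response. The grid step bounds the error only up to $a\epsilon'$, which is the limitation the text points out.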

3.1 High-Level Overview 

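Fortunately, the problem $P_n$ has another property that allows for efficient methods. Let us rewrite $P_n$ in a more compact form. Let $\Delta_{D,i} = U_D^a(t_i) - U_D^u(t_i)$, $\Delta_i = U_A^u(t_i) - U_A^a(t_i)$ and $\delta_{i,j} = U_A^u(t_i) - U_A^u(t_j)$. $\Delta_{D,i}$ and $\Delta_i$ are always positive, and $P_n$ reduces to:

$$\begin{aligned}
\max \quad & p_n \Delta_{D,n} + U_D^u(t_n) - ax, \\
\text{subject to} \quad & \forall i \neq n.\ p_i(-x - \Delta_i) + p_n(x + \Delta_n) + \delta_{i,n} \le 0, \\
& \forall i.\ 0 \le p_i \le 1, \\
& 0 \le x \le 1.
\end{aligned}$$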

The main observation that allows for polynomial time approximation is that, at the optimal solution point, the quadratic constraints can be partitioned into a) those that are tight, and b) those in which the probability variables $p_i$ are zero (Lemma 1). Each quadratic constraint corresponding to $p_i$ can be characterized by the curve $p_n(x + \Delta_n) + \delta_{i,n} = 0$. The quadratic constraints are thus parallel hyperbolic curves on the $(p_n, x)$ plane; see Figure 1 for an illustration. The optimal values $p_n^o, x^o$ partition the constraints (equivalently, the curves): the constraints lying below the optimal value are tight, and in the constraints above the optimal value the probability variable $p_i$ is zero (Lemma 2). The partitioning allows a linear number of iterations in the search for the solution, with each iteration assuming that the optimal solution lies between adjacent curves and then solving the sub-problem with equality quadratic constraints.

Next, we reduce the problem with equality quadratic con- 
straints to a problem with two variables, exploiting the na- 
ture of the constraints themselves, along with the fact that the 
objective has only two variables. The two-variable problem 
can be further reduced to a single-variable objective using an 
equality constraint, and elementary calculus then reduces the 
problem to finding the roots of a polynomial. Finally, we use 
known results to find approximate values of irrational roots. 




Figure 1: The quadratic constraints are partitioned into those below $(p_n^o, x^o)$ that are tight (dashed curves), and those above $(p_n^o, x^o)$ where $p_i = 0$ (dotted curves).

3.2 Algorithm and Main Result 

The main result of our paper is the following theorem:

Theorem 1. Problem $P_n$ can be approximated to an additive $\epsilon$ in time $O(n^5 K + n^4 \log(\frac{1}{\epsilon}))$ using the splitting circle method [Schönhage, 1982] for approximating roots.

Remark. The technique of Lenstra et al. [1982] can be used to exactly compute rational roots. Employing it in conjunction with the splitting circle method yields a time bound $O(\max\{n^{13}K^3, n^5 K + n^4 \log(1/\epsilon)\})$. Also, this technique finds an exact optimal solution if the solution is rational.

Before presenting our algorithm we state two results about the optimization problem $P_n$ that motivate the algorithm and are also used in the correctness analysis. The proof of the first lemma is omitted due to lack of space.

Lemma 1. Let $p_i^o, x^o$ be the optimal solution. Assume $x^o > 0$ and $p_n^o < 1$. Then, at $p_n^o, x^o$, for all $i \neq n$, either $p_i^o = 0$ or $p_n^o(x^o + \Delta_n) + \delta_{i,n} = p_i^o(x^o + \Delta_i)$, i.e., the $i$th quadratic constraint is tight.

Lemma 2. Assume $x^o > 0$ and $p_n^o < 1$. Let $p_n^o(x^o + \Delta_n) + \delta = 0$. If for some $i$, $\delta_{i,n} < \delta$ then $p_i^o = 0$. If for some $i$, $\delta_{i,n} > \delta$ then $p_n^o(x^o + \Delta_n) + \delta_{i,n} = p_i^o(x^o + \Delta_i)$. If for some $i$, $\delta_{i,n} = \delta$ then $p_i^o = 0$ and $p_n^o(x^o + \Delta_n) + \delta_{i,n} = p_i^o(x^o + \Delta_i)$.

Proof. The quadratic constraint for $p_i$ is $p_n^o(x^o + \Delta_n) + \delta_{i,n} \le p_i^o(x^o + \Delta_i)$. By Lemma 1, either $p_i^o = 0$ or the constraint is tight. If $p_n^o(x^o + \Delta_n) + \delta_{i,n} < 0$, then, since $p_i^o \ge 0$ and $x^o + \Delta_i \ge 0$, the constraint cannot be tight. Hence, $p_i^o = 0$. If $p_n^o(x^o + \Delta_n) + \delta_{i,n} > 0$, then $p_i^o \neq 0$, or else with $p_i^o = 0$ the constraint is not satisfied. Hence the constraint is tight. The last case with $p_n^o(x^o + \Delta_n) + \delta_{i,n} = 0$ is trivial. □

From Lemma 2, if $p_n^o, x^o$ lies in the region between the adjacent hyperbolas given by $p_n^o(x^o + \Delta_n) + \delta_{i,n} = 0$ and $p_n^o(x^o + \Delta_n) + \delta_{j,n} = 0$ (and $0 < x^o \le 1$ and $0 \le p_n^o < 1$), then $\delta_{i,n} \le 0$ and $p_i^o \ge 0$, and for the $k$th quadratic constraint with $\delta_{k,n} < \delta_{i,n}$, $p_k^o = 0$, and for the $j$th quadratic constraint with $\delta_{j,n} > \delta_{i,n}$, $p_j^o \neq 0$ and the constraint is tight.

These insights lead to Algorithm 1. After handling the case of $x = 0$ and $p_n = 1$ separately, the algorithm sorts the $\delta$'s to get $\delta_{(1),n}, \ldots, \delta_{(n-1),n}$ in ascending order. Then, it iterates over the sorted $\delta$'s until a non-negative $\delta$ is reached, assuming the corresponding $p_i$'s to be zero and the other quadratic constraints to be equalities, and using the subroutine EQ_OPT to solve the induced sub-problem. For ease of exposition we assume $\delta$'s to be distinct, but the extension to repeated $\delta$'s is quite natural and does not require any new results. The sub-problem for the $i$th iteration is given by the problem $Q_{n,i}$:

$$\begin{aligned}
\max_{x,\, p_{(1)}, \ldots, p_{(i)},\, p_n} \quad & p_n \Delta_{D,n} - ax, \\
\text{subject to} \quad & p_n(x + \Delta_n) + \delta_{(i),n} \ge 0, \\
& \text{if } i \ge 2 \text{ then } p_n(x + \Delta_n) + \delta_{(i-1),n} < 0, \\
& \forall j \ge i.\ p_n(x + \Delta_n) + \delta_{(j),n} = p_{(j)}(x + \Delta_{(j)}), \\
& \forall j > i.\ 0 < p_{(j)} \le 1, \\
& 0 \le p_{(i)} \le 1, \\
& \sum_{k=i}^{n-1} p_{(k)} = 1 - p_n, \\
& 0 \le p_n < 1, \\
& 0 < x \le 1.
\end{aligned}$$

The best (maximum) solution from all the sub-problems (including $x = 0$ and $p_n = 1$) is chosen as the final answer.



Lemma 3. Assuming EQ_OPT produces an $\epsilon$-additive approximate objective value, Algorithm 1 finds an $\epsilon$-additive approximate objective of optimization problem $P_n$.



The proof is omitted due to space constraints. 



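Algorithm 1: APX_SOLVE($\epsilon$, $P_n$)

  $l \leftarrow prec(\epsilon, n, K)$, where $prec$ is defined after Lemma 7
  Sort $\delta$'s in ascending order to get $\delta_{(1),n}, \ldots, \delta_{(n-1),n}$, with corresponding variables $p_{(1)}, \ldots, p_{(n-1)}$ and quadratic constraints $C_{(1)}, \ldots, C_{(n-1)}$
  Solve the LP problem for the two cases when $x = 0$ and $p_n = 1$ respectively. Let the solution be $S^0, p^0_{(1)}, \ldots, p^0_{(n-1)}, p^0_n, x^0$ and $S^{-1}, p^{-1}_{(1)}, \ldots, p^{-1}_{(n-1)}, p^{-1}_n, x^{-1}$ respectively.
  for $i \leftarrow 1$ to $n - 1$ do
    if $\delta_{(i),n} \le 0 \lor (\delta_{(i),n} > 0 \land \delta_{(i-1),n} < 0)$ then
      $p_{(j)} \leftarrow 0$ for $j < i$
      Set constraints $C_{(i)}, \ldots, C_{(n-1)}$ to be equalities.
      $S^i, p^i_{(1)}, \ldots, p^i_{(n-1)}, p^i_n, x^i \leftarrow$ EQ_OPT($i$, $l$)
    else
  $f \leftarrow \arg\max_i \{S^{-1}, S^0, S^1, \ldots, S^i, \ldots, S^{n-1}\}$
  Unsort $p^f_{(1)}, \ldots, p^f_{(n-1)}$ to get $p^f_1, \ldots, p^f_{n-1}$
  return $p^f_1, \ldots, p^f_n, x^f$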



EQ_OPT solves a two-variable problem $R_{n,i}$ instead of $Q_{n,i}$. The problem $R_{n,i}$ is defined as follows:

subject to 

Pnix + A„) + (5(i)_„ > , 

if i > 2 thenp„(a; + A„) + (5(i_i) „ < , 

Pn (l + J2j:i<j<n-1 a:+A(") ) ^ ^ ~ 
< p„ < 1 , 

< X < 1 . 



Algorithm 2: EQ_OPT(i,/) 



Define Fi{x) = , , ' 
Define 



feas{x) = 



true {x, Fi{x)) is feasible for i?„ 



^j:i<j"<n-l £C+Ay) 



The following result justifies solving $R_{n,i}$ instead of $Q_{n,i}$.

Lemma 4. $Q_{n,i}$ and $R_{n,i}$ are equivalent for all $i$.

Proof. Since the objectives of both problems are identical, we prove that the feasible regions for the variables in the objective $(p_n, x)$ are identical. Assume $p_n, x, p_{(i)}, \ldots, p_{(n-1)}$ is feasible in $Q_{n,i}$. The first two constraints are the same in $Q_{n,i}$ and $R_{n,i}$. Divide each equality quadratic constraint corresponding to non-zero $p_{(j)}$ by $x + \Delta_{(j)}$. Add all such constraints to get:



false otherwise 
Find polynomials /, g such that = Fi {x)Ao.n — ax 
h{x) ^ g{x)f{x) - f{x)g'{x) 
{ri,...,r4 ^ ROOTS{h{x),l) 



{r,+i,...,rt} ^ ROOTS(^^,(a 
{rt+i,...,r„}^ ROOTS(F,(2;),0 

r„+i ^ 1 

for fc 1 to u + 1 do 
if feas{rk) tlien 



x+A, 



-J) 



J2 



j:l<j<i 



X + Ar. 



- E : 

j:l<j<l 



A 



Then, since Y.k:i<k<i P{k) = l-Pn'^Q get 



P J 1 + E 



X + A, 



j:2<j<n — 1 



A 



0) 



E 

j:i<j<n-l 



else 



if feas{rk — 2 ') then 
else 



Ok ^ ■^('•"-r,' ; Tk^rk- 2-' 



if feas{rk + 2 ') then 

else 

|_ Oa.. ^ oo 



Hi) 



The last two constraints are the same in Qn,^ and i?„_i 
Next, assume a; is feasible in Rn.i- Choose 



b <- argmaxfe{Oi, . . . , O^, . . . , 0„+i} 
P(j) ^ for j < i 

p„(r6 + A„) + „ 
PO) ^ 



x + A^ 
x + A( 



Ho), 



Hj) J ^ + ^(j) 
Since p„(a:; + A„) + > 0, we have p(i) > 0, and since 
Pn(x + A„) + (5(j),n > for j > i ((5's are distinct) we have 
> 0. Also, 



return Ob,p(i), . . . ,p(„_i),p„, 



forj G 1} 



The limit point on the open boundary Pnix + A„) + 
^(i-i),n < is given by the roots of Fi{x) + " 



ri-l 



E 



a; + A„ 



\r.i<j<n-\ 



x + A 



(i) 



E 



x + A 



(i) 



which by the third constraint of Rn.i is 1 — p„. This implies 
P(j) < 1. Thus, Pn, x,p(i'i, . . . ,P(n-i) is feasible in Qn,i. 

□ 

The equality constraint in $R_{n,i}$, which forms a curve $K_i$, allows substituting $p_n$ with a function $F_i(x)$ of the form $f(x)/g(x)$. Then, the steps in EQ_OPT involve taking the derivative of the objective $f(x)/g(x)$ and finding those roots of the derivative that ensure that $x$ and $p_n$ satisfy all the constraints. The points with zero derivative are however local maxima only. To find the global maxima, other values of $x$ of interest are where the curve $K_i$ intersects the closed boundary of the region defined by the constraints. Only the closed boundaries are of interest, as maxima (rather suprema) attained on open boundaries are limit points that are not contained in the constraint region. However, such points are covered in the other optimization problems, as shown below.



This 

point is the same as the point considered on the closed bound- 
ary Pn{x + A„) + (5(i_i)^„ > in problem Rns^i given by 

roots of + , since Fi^i{x) = Fi{x) when 

Pn{x + An)+Si^i_i') n ~ 0. Also, the Other cases when X = 
and Pn — I are covered by the LP solved at the beginning of 
Algorithm [T] 

The closed boundary in i?„ ^ are obtained from the con- 



straint p„{x + An) 



> 0, < Pn and a; < 1. The 



value X of the intersection of p„(a; + A„) + S{i)^n = and 
Ki is given by the roots of Fi (x) + = 0. The value 

X of the intersection of p„ — and Ki is given by roots of 
Fi (x) = 0. The value x of the intersection of a; = 1 and Ki 
is simply x = 1. Additionally, as checked in EQ_OPT, all 
these intersection points must lie with the constraint regions 
defined in Qn,i. 

The optimal x is then the value among all the points of in- 
terest stated above that yields the maximum value for 
Algorithm 2 describes EQ_OPT, which employs a root finding subroutine ROOTS. Algorithm 2 also takes care of approximate results returned by ROOTS. As a result of the $2^{-l}$ approximation in the value of $x$, the computed $x$ and $p_n$ can lie outside the constraint region when the actual $x$ and $p_n$ are very near the boundary of the region. Thus, we check for containment in the constraint region for points $x \pm 2^{-l}$ and accept the point if the check passes.

Remark (dummy target): As discussed in Section 2, we allow for a dummy target with all costs zero. Let this target be $t_0$. For $n$ not representing 0, there is an extra quadratic constraint given by $p_0(-x_0 - \Delta_0) + p_n(x + \Delta_n) + \delta_{0,n} \le 0$, but, as $x_0$ and $\Delta_0$ are 0, the constraint is just $p_n(x + \Delta_n) + \delta_{0,n} \le 0$. When $n$ represents 0, then the $i$th quadratic constraint is $p_i(-x - \Delta_i) + \delta_{i,0} \le 0$, and the objective is independent of $p_n$ as $\Delta_{D,n} = 0$. We first claim that $p_0 = 0$ at any optimal solution. The proof is provided in Lemma 9 in the Appendix. Thus, Lemmas 1 and 2 continue to hold for $i = 1$ to $n - 1$ with the additional restriction that $p_n^o(x^o + \Delta_n) + \delta_{0,n} \le 0$.

Thus, when $n$ does not represent 0, Algorithm 1 runs with the additional check $\delta_{(i),n} < \delta_{0,n}$ in the if condition inside the loop. Algorithm 2 stays the same, except the additional constraint that $p_0 = 0$. The other lemmas and the final results stay the same. When $n$ represents 0, then $x$ needs to be the smallest possible, and the problem can be solved analytically.

3.3 Analysis 

Before analyzing the algorithm's approximation guarantee we need a few results that we state below.

Lemma 5. The maximum bit precision of any coefficient of the polynomials given as input to ROOTS is $2n(K + 1.5) + \log(n)$.

Proof. The maximum bit precision will be obtained in $g(x)f'(x) - f(x)g'(x)$. Consider the worst case when $i = 1$. Then, $f(x)$ is of degree $n$ and $g(x)$ of degree $n - 1$. Therefore, the bit precision of $f(x)$ and $g(x)$ is upper bounded by $nK + \log\binom{n}{n/2}$, where $nK$ comes from multiplying $n$ $K$-bit numbers and $\log\binom{n}{n/2}$ arises from the maximum number of terms summed in forming any coefficient. Thus, using the fact that $\binom{n}{n/2} \le (2e)^{n/2}$, the upper bound is approximately $n(K + 1.5)$. We conclude that the bit precision of $g(x)f'(x) - f(x)g'(x)$ is upper bounded by $2n(K + 1.5) + \log(n)$. □

We can now use Cauchy's result on bounds on roots of polynomials to obtain a lower bound for $x$. Cauchy's bound states that given a polynomial $a_n x^n + \ldots + a_0$, any root $x$ satisfies

$$|x| > 1 / \left(1 + \max\{|a_n|/|a_0|, \ldots, |a_1|/|a_0|\}\right).$$

Using Lemma 5 it can be concluded that any root returned by ROOTS satisfies $x > 2^{-4n(K+1.5) - 2\log(n) - 1}$.

Let $B = 2^{-4n(K+1.5) - 2\log(n) - 1}$. The following lemma (whose proof is omitted due to lack of space) bounds the additive approximation error.

Lemma 6. Assume x is known with an additive accuracy of 
e, and e < B/2. Then the error in the computed F{x) is at 



most e*, where * = Y+^Y^+iX 



and 



X = min 



1^. 



E 



2Si 



j:i<j<n-l. 
Si„<0 



j:i<j<n-l, 
<5,-,„>0 



Y 



iin{ 



^ 2(A„- Aj-) ' 
(B + A,)2' 2^ (S + A,)2 , 

]:i<]<n-l, ^ ■" j:i<j<n-l, ^ ■" 

A„-A3<0 A„-Aj>0 

Moreover, * is o/or^fer 0(n2(8"(-^+i-5)+4i°g(")+^'). 

We are finally ready to establish the approximation guar- 
antee of our algorithm. 

Lemma 7. Algorithm 1 solves problem $P_n$ with additive approximation term $\epsilon$ if

$$l > \max\left\{1 + \log\left(\frac{\Delta_{D,n}\Psi + a}{\epsilon}\right),\ 4n(K + 1.5) + 2\log(n) + 3\right\}.$$

Also, as $\log\left(\frac{\Delta_{D,n}\Psi + a}{\epsilon}\right) = O(nK + \log(\frac{1}{\epsilon}))$, $l$ is of order $O(nK + \log(\frac{1}{\epsilon}))$.

Proof. The computed value of $x$ can be at most $2 \cdot 2^{-l}$ far from the actual value. The additional factor of 2 arises due to the boundary check in EQ_OPT. Then using Lemma 6, the maximum total additive approximation is $2 \cdot 2^{-l}\Delta_{D,n}\Psi + 2 \cdot 2^{-l}a$. For this to be less than $\epsilon$, $l > 1 + \log\left(\frac{\Delta_{D,n}\Psi + a}{\epsilon}\right)$. The other term in the max above arises from the condition $\epsilon < B/2$ (this $\epsilon$ represents $2 \cdot 2^{-l}$) in Lemma 6. □

Observe that the upper bound on $\Psi$ is only in terms of $n$ and $K$. Thus, we can express $l$ as a function of $\epsilon$, $n$ and $K$: $l = prec(\epsilon, n, K)$.

We still need to analyze the running time of the algorithm. First, we briefly discuss the known algorithms that we use and their corresponding running-time guarantees. Linear programming can be done in polynomial time using Karmarkar's algorithm [Karmarkar, 1984] with a time bound of $O(n^{3.5}L)$, where $L$ is the length of all inputs.

The splitting circle scheme to find roots of a polynomial combines many varied techniques. The core of the algorithm yields linear polynomials $L_i = a_i x + b_i$ ($a$, $b$ can be complex) such that the norm of the difference of the actual polynomial $P$ and the product $\prod_i L_i$ is less than $2^{-s}$, i.e., $|P - \prod_i L_i| < 2^{-s}$. The norm considered is the sum of absolute values of the coefficients. The running time of the algorithm is $O(n^3 \log n + n^2 s)$ in a pointer based Turing machine. By choosing $s = \Theta(nl)$ and choosing the real part of those complex roots that have imaginary value less than $2^{-l}$, it is possible to obtain approximations to the real roots of the polynomial with $l$ bit precision in time $O(n^3 \log n + n^3 l)$. The above method may yield real values that lie near complex roots. However, such values will be eliminated in taking the maximum of the objective over all real roots, if they do not lie near a real root.

LLL [Lenstra et al., 1982] is a method for finding a short basis of a given lattice. This is used to design polynomial time algorithms for factoring polynomials with rational coefficients into irreducible polynomials over rationals. The complexity of this well-known algorithm is $O(n^{12} + n^9(\log|f|)^3)$, when the polynomial is specified as in the field of integers and $|f|$ is the Euclidean norm of coefficients. For rational coefficients specified in $k$ bits, converting to integers yields $\log|f| \simeq \frac{1}{2}\log n + k$. LLL can be used before the splitting circle method to find all rational roots and then the irrational ones can be approximated. With these properties, we can state the following lemma.

Lemma 8. The running time of Algorithm\l\with input ap- 
proximation parameter e and inputs of K bit precision is 
bounded by 0{n^K + log(-i)) . Using LLLyields the run- 
ning time 0{n\a,yi{n}^ ^ rV'K + log(7)}) 

Proof. The length of all inputs is $O(nK)$, where $K$ is the bit precision of each constant. The linear programs can be computed in time 0{n'^^^K). The loop in Algorithm 1 runs less than $n$ times and calls EQ_OPT. In EQ_OPT, the computation happens in calls to ROOTS and evaluation of the polynomial for each root found. ROOTS is called three times with a polynomial of degree less than $2n$ and coefficient bit precision less than $2n(K + 1.5) + \log(n)$. Thus, the total number of roots found is less than $6n$ and the precision of roots is $l$ bits. By Horner's method [Horner, 1819], polynomial evaluation can be done in the following simple manner: given a polynomial $a_n x^n + \dots + a_0$ to be evaluated at $x_0$, computing the following values yields the answer as $b_0$: $b_n = a_n$, $b_{n-1} = a_{n-1} + b_n x_0$, $\dots$, $b_0 = a_0 + b_1 x_0$. From Lemma 7 we get $l > 2n(K + 1.5) + \log(n)$; thus, $b_i$ is approximately $(n + 1 - i)l$ bits, and each computation involves multiplying two numbers with less than $(n + 1 - i)l$ bits each. We assume a pointer-based machine, thus multiplication is linear in number of bits. Hence the total time required for polynomial evaluation is $O(n^{2}l)$. The total time spent in all polynomial evaluation is $O(n^{3}l)$. The splitting
circle method takes time 0{rt' logn + Using Lemma]?] 
we get 0{n^K + log(i)) as the running time of EQ_OPT. 
Thus, the total time is 0{n^K + log{^)). 
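The bit-growth step of the Horner argument above can be checked with exact integer arithmetic. This is an added example, not code from the paper; the names `horner_exact`, `bit_bound` and `multiplication_cost` and the sample polynomial are constructed here, and it assumes $|x_0| < 1$ with coefficients of at most $l$ bits.

```python
from fractions import Fraction

def horner_exact(coeffs, x_num, l):
    """Evaluate a_n x^n + ... + a_0 at x0 = x_num / 2**l exactly.

    coeffs is [a_n, ..., a_0] (integers). b_{n-k} is held as an integer
    numerator over the implicit denominator 2**(k*l).
    Returns (value, bits) where bits[k] is the bit length of that numerator.
    """
    num = coeffs[0]                      # b_n = a_n
    bits = [abs(num).bit_length()]
    for k, a in enumerate(coeffs[1:], start=1):
        # b_{n-k} = a_{n-k} + b_{n-k+1} * x0, rescaled to denominator 2**(k*l)
        num = (a << (k * l)) + num * x_num
        bits.append(abs(num).bit_length())
    n = len(coeffs) - 1
    return Fraction(num, 1 << (n * l)), bits

def bit_bound(k, l):
    """Upper bound on bits[k] when |x_num| < 2**l and every |a_i| < 2**l.

    With i = n - k this is the (n + 1 - i) * l of the proof plus a log term.
    """
    return (k + 1) * l + (k + 1).bit_length()

def multiplication_cost(bits):
    """Cost of all products b * x0 under the linear-time multiplication model:
    step k multiplies the bits[k-1]-bit numerator by the l-bit x_num."""
    return sum(bits[:-1])

# Constructed sample: degree 8, 16-bit root approximation x0 ~ 0.618.
L_BITS = 16
X_NUM = 40503
COEFFS = [(-1) ** i * (3 * i * i + 7 * i + 11) for i in range(9)]

if __name__ == "__main__":
    value, bits = horner_exact(COEFFS, X_NUM, L_BITS)
    print(float(value))
    for k, b in enumerate(bits):
        print(f"b_{len(COEFFS) - 1 - k}: {b} bits (bound {bit_bound(k, L_BITS)})")
    print("multiplication cost:", multiplication_cost(bits))
```

Summing `bit_bound` over the $n$ multiplications gives a cost quadratic in $n$ and linear in $l$ for a single evaluation.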

When using LLL, the time in ROOTS is dominated by LLL. The time for LLL is given by $O(n^{12} + n^{9}(\log n + nK)^{3})$, which is $O(n^{12}K^{3})$. Thus, the overall time is bounded by $O(\max\{n^{13}K^{3}, n^{4}l\})$, which using Lemma 7 is



4 Discussion 

We have introduced a novel model of audit games that we believe to be compelling and realistic. Modulo the punishment parameter, our setting reduces to the simplest model of security games. However, the security game framework is in general much more expressive. The model [Kiekintveld et al., 2009] includes a defender that controls multiple security resources, where each resource can be assigned to one of several schedules, which are subsets of targets. For example, a security camera pointed in a specific direction monitors all targets in its field of view. As audit games are also applicable in the context of prevention, the notion of schedules is also relevant for audit games. Other extensions of security games are relevant to both prevention and detection scenarios, including an adversary that attacks multiple targets [Korzhyk et al., 2011], and a defender with a budget [Bhattacharya et al., 2011]. Each such extension raises difficult algorithmic questions.

Ultimately, we view our work as a first step toward a computationally feasible model of audit games. We envision a vigorous interaction between AI researchers and security and privacy researchers, which can quickly lead to deployed applications, especially given the encouraging precedent set by the deployment of security games algorithms [Tambe, 2011].
A Missing proofs

Proof of LemmaU] We prove the contrapositive. Assume 
there exists an $i$ such that $p_i \neq 0$ and the quadratic constraint is not tight. Thus, there exists an $\epsilon > 0$ such that

$$p_i(-x^o - \Delta_i) + p_n^o(x^o + \Delta_n) + \delta_{i,n} + \epsilon = 0 .$$

We show that it is possible to increase $p_n^o$ by a small amount such that all constraints are satisfied, which leads to a higher objective value, proving that $p_n^o, x^o$ is not optimal. Remember that all $\Delta$'s are $> 0$, and $x > 0$.

We do two cases: (1) assume V? ^ n. p° + A„) + i5/_„ ^ 
0. Then, first, note that p° can be increased by or less and 
and Pi can be decreased by to still satisfy the constraint, as 
long as 

e^(x° + AO + e.(x° + A„) <e. 



It is always possible to choose such > 0, > 0. Second, 
note that for those j's for which pj = we get p° {x" + A„) + 
<5j,ri < 0, and by assumption p° (a;° + A„) + (5j_„ 7^ 0, thus, 
pi{x° + An) + Sj^n < 0. Let Ej be such that {p° + ej){x° + 
A*) + (5j „ = 0, i.e., p° can be increased by Cj or less and the 
j*'* constraint will still be satisfied. Third, for those fc's for 
which pk 0, p° can be increased by Cfe or less, which must 
be accompanied with e'j, = fsqi^efc increase in pk in order 

to satisfy the fc*'' quadratic constraint. 

Choose feasible e'^'s (which fixes the choice of also) 
such that e- — J2k ^'k > 0. Then choose an increase in Pi. 
e'l < e ■ such that 

e„ = e" — / e'fe > and e„ < mm{ei, min Cj, min e^} 

^ Pj=o Pk¥=o 

Increase p° by e„, p^'s by ej^. and decrease pi by e" so that 
the constraint J^i Pi = 1 is still satisfied. Also, observe that 
choosing an increase in p° that is less than any e^, any ej, 
satisfies the quadratic constraints corresponding to p^'s, pj's 
and Pi respectively. Then, as e„ > we have shown that p° 
cannot be optimal. 

Next, for the case (2) if J3° (a;° + A„) + Si^„ = for some 
I then pi — 0, , Si n < and the objective becomes 

A _ ^hH _ A 

Pn 

Thus, increasing $p_n$ increases the objective. Note that choosing a lower than $x^o$ feasible value for $x$ results in a higher than $p_n^o$ value for $p_n$. Also, the $k$-th constraint can be written as $p_k(-x - \Delta_k) + \delta_{k,n} - \delta_{l,n} \le 0$. We show that it is possible to choose a feasible $x$ lower than $x^o$. If for some $j$, $p_j = 0$, then $x$ can be decreased without violating the corresponding constraint. Let $p_t$'s be the probabilities that are non-zero and let the number of such $p_t$'s be $T$. By assumption there is an $i \neq l$ such that $p_i > 0$ and

$$p_i(-x^o - \Delta_i) + \delta_{i,n} - \delta_{l,n} + \epsilon = 0 .$$

For $i$, it is possible to decrease $p_i$ by $\epsilon_i$ such that $\epsilon_i(x^o + \Delta_i) < \epsilon/2$, hence the constraint remains satisfied and is still non-tight.

Increase each $p_t$ by $\epsilon_i/T$ so that the constraint $\sum_i p_i = 1$ is satisfied. Increasing $p_t$ makes the $t$-th constraint become non-tight for sure. Then, all constraints with probabilities greater than 0 are non-tight. For each such constraint it is possible to decrease $x$ (note $x^o > 0$) without violating the constraint. Thus, we obtain a lower feasible $x$ than $x^o$, hence a higher $p_n$ than $p_n^o$. Thus, $p_n^o, x^o$ is not optimal. □

Proof of Lemma 3. If $p_n^o(x^o + \Delta_n) + \delta_{i,n} > 0$ and $p_n^o(x^o + \Delta_n) + \delta_{j,n} < 0$, where $\delta_{j,n} < \delta_{i,n}$ and $\nexists k.\ \delta_{j,n} < \delta_{k,n} < \delta_{i,n}$, then the exact solution of the $i$-th subproblem will be $p_n^o, x^o$. Now, since $0 < x < 1$ and $0 < p_n < 1$, there is one $i$ for which $p_n^o(x^o + \Delta_n) + \delta_{i,n} > 0$ and $p_n^o(x^o + \Delta_n) + \delta_{j,n} < 0$, and thus the solution of this sub-problem will return the maximum value. The solution of other sub-problems will return a lower value as the objective is same in all sub-problems. Hence, maximum of the maximum in each iteration is the global maximum. The approximation case is then an easy extension. □



Proof of Lemma 6.
A„ - A, 
Using the inequalities above
A,



< 



A„ - A, 



2e 



A„ - Aj- 
< 1 /2. The latter condition is true



If Pn < 'fp, then since F{x^) > 0, we have F{x) > Pn — i^- 
If > V'^ then since S > 1, A > t/j we have 
And, as p„ < 1 we have F(xe) > Pn ~ + Y)- Thus,
F(a;e) > Pn — €mm{ip, ^ + F}. The minimum is less that 

M^:^i_^he positive root of V' - ^0 - X = 0, that is y+vTOx ^ 

□ 
and using the fact that > 1 — e.
B Dummy Target

Lemma 9. If a dummy target $t_0$ is present for the optimization problem described in Section 2, then $p_0 = 0$ at optimal point $p_n^o, x^o$, where $x^o > 0$.



a; + e + Aj 
if A„ - Aj < 0. Thus, 
Thus, using the fact that x > B we have
Proof. We prove this by contradiction. Let $p_0 > 0$ at optimal point. If the problem under consideration is when $n$ represents 0, the objective is not dependent on $p_n$, and thus we want to choose $x$ as small as possible to get the maximum objective value. The quadratic inequalities are $p_i(-x^o - \Delta_i) + \delta_{i,0} \le 0$. Subtracting $\epsilon$ from $p_0$ and adding $\epsilon/n$ to all the other $p_i$ satisfies the $\sum_i p_i = 1$ constraint. But adding $\epsilon/n$ to all the other $p_i$ allows reducing $x^o$ by a small amount and yet satisfying each quadratic constraint. But then we obtain a higher objective value, hence $x^o$ is not optimal.

Next, if the problem under consideration is when $n$ does not represent 0, then an extra constraint is $p_n^o(x^o + \Delta_n) + \delta_{0,n} \le 0$. Subtracting $\epsilon$ from $p_0$ and adding $\epsilon/(n-1)$ to all the other $p_i$ (except $p_n$) satisfies the $\sum_i p_i = 1$ constraint. Also, each constraint $p_i(-x^o - \Delta_i) + p_n^o(x^o + \Delta_n) + \delta_{i,n} \le 0$ becomes non-tight (may have been already non-tight) as a result of increasing $p_i$. Thus, now $x^o$ can be decreased (note $x^o > 0$). Hence, the objective increases, thus $p_n^o, x^o$ is not optimal. □

I A„ — (B + A j:*<j<«-i,A^-A,<o " ~ ^j) \ (B + Aj)2 J
Very similar to the above proof we also get
Then given



